Traefik 3 Tailscale integration for TLS with docker compose for FastAPI container help needed

I am trying to get the Tailscale Traefik 3 integration for automated cert generation working, as described in the blog post “Exploring the Tailscale-Traefik Integration | Traefik Labs”, which for some irritating reason this forum will not let me include the stupid link to.

I have a FastAPI Python app that runs fine on localhost:8000, on the Tailscale machinename:8000, and on machinename + ts net:8000, but when trying https + machinename + dnsname ts net I get Bad Gateway, and https + machinename produces a 404 page not found. (Sorry for the odd URL representation; this forum prevents including URLs for some incredibly stupid reason.)

The host Tailscale is installed on is a Win11 system with Docker Desktop; both the FastAPI app container and the WSL2 host are Ubuntu. Tailscale is not installed in the FastAPI container, but my Docker Desktop has the Tailscale extension, providing URLs directly to the Traefik and FastAPI containers.

I ran “tailscale cert machinename + dnsname.ts.net” and have the following docker compose file:

version: "3.3"

networks:
  web:
    external: true
  internal:
    external: false

services:

  traefik:
    image: "traefik:v3.0"
    container_name: "traefik"
    command:
      - "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.network=internal"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.web.address=:80"
      - "--certificatesresolvers.myresolver.tailscale=true"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      # the docker provider reads container labels through the daemon socket
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # the tailscale cert resolver calls tailscaled's LocalAPI over this socket; the
      # source path must be the live socket on the machine that runs the Docker engine
      - /var/run/tailscale/tailscaled.sock:/var/run/tailscale/tailscaled.sock
    networks:
      - web
      - internal

  web:
    build: ./src
    container_name: "web"
    command: |
      bash -c 'while !</dev/tcp/db/5432; do sleep 1; done; uvicorn app.main:app --reload --workers 4 --host 0.0.0.0 --port 8000'
    labels:
      - traefik.enable=true
      - traefik.http.routers.web.rule=Host(`*******.*******.ts.net`)
      - traefik.http.routers.web.tls.certresolver=myresolver
      - traefik.http.routers.web.entrypoints=websecure
      # explicit backend port so Traefik does not have to infer it from the image's exposed ports
      - traefik.http.services.web.loadbalancer.server.port=8000
    volumes:
      - ./src/:/home/app/web
    ports:
      # hostPort:containerPort
      - 8000:8000
    environment:
      - DATABASE_URL=postgresql://*****:*****@db/*****
    networks:
      - web
      - internal

  db:
    image: postgres:13-alpine
    container_name: "postgres"
    volumes:
      - postgres_data:/var/lib/postgresql/data/
    expose:
      - 5432
    environment:
      - POSTGRES_USER=*****
      - POSTGRES_PASSWORD=*****
      - POSTGRES_DB=*****
    networks:
      - internal

volumes:
  postgres_data:

Anyone have any suggestions? Anything odd with the docker compose? I’ve been spinning my wheels and need some help.
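An added lint, not code from this post, from Traefik or from Tailscale: it takes the compose `services` mapping (the shape `yaml.safe_load(open("docker-compose.yml"))["services"]` returns, so a real file can be fed in with PyYAML) and checks the couplings the Tailscale resolver depends on: the router's `certresolver` name must match a `--certificatesresolvers.<name>.tailscale=true` flag, the router needs a `Host` rule or `tls.domains` so the resolver knows which ts.net name to request, its entrypoint must exist, and the service must sit on the `providers.docker.network`. It also flags the host-access risks the file carries (`--api.insecure=true`, docker.sock and tailscaled.sock mounts, `privileged`). `SAMPLE_SERVICES` is transcribed from the compose file above; the `machine.tailnet.ts.net` hostname is a placeholder for the masked one.

```python
import re

# Added example, not from the forum post. Lints a compose 'services' mapping for
# the Traefik <-> Tailscale couplings the thread depends on and for host-access
# risks. SAMPLE_SERVICES mirrors the first compose file in the thread; the
# ts.net hostname is a placeholder (the original is masked).

ROUTER_RE = re.compile(r"^traefik\.http\.routers\.([^.]+)\.(.+?)=(.*)$")
PORT_RE = re.compile(r"^traefik\.http\.services\.[^.]+\.loadbalancer\.server\.port=\d+$")
FLAG_RE = re.compile(r"^--([^=]+)=(.*)$")


def traefik_flags(command):
    """Map Traefik CLI flags ('--a.b=c') to {'a.b': 'c'}; Traefik treats keys case-insensitively."""
    flags = {}
    for item in command or []:
        m = FLAG_RE.match(str(item))
        if m:
            flags[m.group(1).lower()] = m.group(2)
    return flags


def lint_compose(services, traefik_service="traefik"):
    """Return a list of (service, message) findings; an empty list means clean."""
    findings = []
    flags = traefik_flags(services.get(traefik_service, {}).get("command"))
    resolvers = {k.split(".")[1] for k in flags if k.startswith("certificatesresolvers.")}
    entrypoints = {k.split(".")[1] for k in flags if k.startswith("entrypoints.") and k.endswith(".address")}
    provider_net = flags.get("providers.docker.network")
    if flags.get("api.insecure") == "true":
        findings.append((traefik_service, "--api.insecure=true serves the dashboard and API unauthenticated on :8080"))

    for name, svc in services.items():
        raw = svc.get("labels") or []
        labels = [f"{k}={v}" for k, v in raw.items()] if isinstance(raw, dict) else [str(l) for l in raw]
        # host-level risk, independent of Traefik
        if svc.get("privileged"):
            findings.append((name, "privileged: true disables most container isolation"))
        for vol in svc.get("volumes") or []:
            src = str(vol).split(":")[0]
            if src == "/var/run/docker.sock":
                findings.append((name, "docker.sock mounted: root-equivalent on the host (':ro' does not restrict the API)"))
            elif src.endswith("tailscaled.sock"):
                findings.append((name, "tailscaled.sock mounted: the container can drive the node's LocalAPI, not only fetch certs"))
        if "traefik.enable=true" not in labels:
            continue
        if provider_net and provider_net not in (svc.get("networks") or []):
            findings.append((name, f"not on providers.docker.network={provider_net}; Traefik may pick an unreachable IP"))
        if not any(PORT_RE.match(l) for l in labels) and not svc.get("ports") and not svc.get("expose"):
            findings.append((name, "no loadbalancer.server.port label and no exposed port; Traefik cannot pick a backend port"))
        routers = {}
        for l in labels:
            m = ROUTER_RE.match(l)
            if m:
                routers.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
        for rname, r in routers.items():
            resolver = r.get("tls.certresolver")
            if resolver and resolver not in resolvers:
                findings.append((name, f"router {rname}: certresolver {resolver!r} is not defined (traefik has {sorted(resolvers)})"))
            if resolver and "rule" not in r and "tls.domains[0].main" not in r:
                findings.append((name, f"router {rname}: no Host rule or tls.domains, so the resolver has no domain to request"))
            for ep in filter(None, r.get("entrypoints", "").split(",")):
                if ep not in entrypoints:
                    findings.append((name, f"router {rname}: entrypoint {ep!r} is not defined"))
    return findings


SAMPLE_SERVICES = {
    "traefik": {
        "command": [
            "--log.level=DEBUG", "--api.insecure=true", "--providers.docker=true",
            "--providers.docker.exposedbydefault=false", "--providers.docker.network=internal",
            "--entrypoints.websecure.address=:443", "--entrypoints.web.address=:80",
            "--certificatesresolvers.myresolver.tailscale=true",
        ],
        "volumes": ["/var/run/docker.sock:/var/run/docker.sock:ro",
                    "/var/run/tailscale/tailscaled.sock:/var/run/tailscale/tailscaled.sock"],
        "networks": ["web", "internal"],
    },
    "web": {
        "labels": ["traefik.enable=true",
                   "traefik.http.routers.web.rule=Host(`machine.tailnet.ts.net`)",  # placeholder host
                   "traefik.http.routers.web.tls.certresolver=myresolver",
                   "traefik.http.routers.web.entrypoints=websecure"],
        "ports": ["8000:8000"], "networks": ["web", "internal"],
    },
    "db": {"image": "postgres:13-alpine", "networks": ["internal"]},
}

if __name__ == "__main__":
    for service, message in lint_compose(SAMPLE_SERVICES):
        print(f"{service}: {message}")
```

On the file above the only findings are the three on the `traefik` service (unauthenticated API, docker.sock, tailscaled.sock); renaming the resolver on one side, or taking `web` off the `internal` network, produces a per-router finding instead of a silent 404 or Bad Gateway at runtime. The `:ro` note matters: a read-only bind of a Unix socket still lets the container connect to it, so it limits nothing about what the Docker or Tailscale API will do for the container.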

I am having the same issue. I have tried it on Windows, macOS and Ubuntu. No luck.

The Error

Unable to fetch certificate for domain "test.magicDNS.ts.net" error="Get \"http://local-tailscaled.sock/localapi/v0/cert/test.magicDNS.ts.net?type=pair\": dial unix /var/run/tailscale/tailscaled.sock: connect: connection refused" providerName=ts.tailscale

Traefik Version

Version:      3.0.0-beta3
Codename:     beaufort
Go version:   go1.20.5
Built:        2023-06-22T08:58:13Z
OS/Arch:      linux/amd64

Docker Compose File

networks:
  web:
    name: web
  internal:
    name: internal

volumes:
  portainer_data:
    name: portainer_data

services:

  traefik:
    image: "traefik:v3.0"
    container_name: "traefik-proxy"
    command:
      - "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.network=internal"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.web.address=:80"
      - "--certificatesresolvers.ts.tailscale=true"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /var/run/tailscale/tailscaled.sock:/var/run/tailscale/tailscaled.sock:ro
    networks:
      - web
      - internal

  portainer:
    container_name: "portainer"
    image: portainer/portainer-ce:latest
    # privileged: true removed; Portainer only needs the docker.sock mount below
    labels:
      - traefik.enable=true
      # without a rule the docker provider defaults to Host(`portainer`), so requests
      # for the ts.net name would 404; match the certificate's domain explicitly
      - traefik.http.routers.portainer.rule=Host(`test.magicDNS.ts.net`)
      - traefik.http.routers.portainer.tls.certresolver=ts
      - traefik.http.routers.portainer.tls.domains[0].main=test.magicDNS.ts.net
      # 9443 is Portainer's TLS listener, and Traefik forwards plain http:// to it
      # (see target=http://...:9443 in the log), so point it at the HTTP listener
      - traefik.http.services.portainer.loadbalancer.server.port=9000
      - traefik.http.routers.portainer.entrypoints=websecure
    volumes:
      - portainer_data:/data
      - /var/run/docker.sock:/var/run/docker.sock
    networks:
      - web
      - internal

Traefik Logs

traefik-proxy  | 2023-07-18T07:31:22Z DBG github.com/traefik/traefik/v3/pkg/server/service/service.go:298 > Creating server entryPointName=websecure routerName=portainer@docker serverName=da31ccb7ca44fb42 serviceName=portainer@docker target=http://172.19.0.3:9443
traefik-proxy  | 2023-07-18T07:31:22Z DBG github.com/traefik/traefik/v3/pkg/middlewares/tracing/forwarder.go:26 > Added outgoing tracing middleware entryPointName=websecure middlewareName=tracing middlewareType=TracingForwarder routerName=portainer@docker serviceName=portainer
traefik-proxy  | 2023-07-18T07:31:22Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:22 > Creating middleware entryPointName=websecure middlewareName=traefik-internal-recovery middlewareType=Recovery
traefik-proxy  | 2023-07-18T07:31:22Z DBG github.com/traefik/traefik/v3/pkg/server/router/tcp/manager.go:235 > Adding route for portainer-docker with TLS options default entryPointName=websecure
traefik-proxy  | 2023-07-18T07:31:22Z ERR github.com/traefik/traefik/v3/pkg/provider/tailscale/provider.go:249 > Unable to fetch certificate for domain "test.magicDNS.ts.net" error="Get \"http://local-tailscaled.sock/localapi/v0/cert/test.magicDNS.ts.net?type=pair\": dial unix /var/run/tailscale/tailscaled.sock: connect: connection refused" providerName=ts.tailscale
traefik-proxy  | 2023-07-18T07:31:22Z DBG github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:118 > Skipping empty configuration providerName=ts.tailscale
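An added preflight check, not code from this post, from Traefik or from Tailscale, for the `dial unix ...: connect: connection refused` line above. The kernel answers ECONNREFUSED both when a socket file exists but nothing accepts on it (tailscaled stopped, stale file) and when the path exists but is not a socket at all, which is what Docker leaves behind when a bind-mount source is missing on the engine host: it creates an empty directory there. On Docker Desktop the engine host is the Linux VM, not the Windows or macOS side where tailscaled actually runs, so `/var/run/tailscale/tailscaled.sock` is created as a directory and Traefik gets this exact error. The script classifies the path and, in `demo_states`, reproduces each state under a temporary directory; it uses `AF_UNIX`, so run it inside the Traefik container or in a Linux shell on the engine host, not from Windows Python.

```python
import errno
import os
import shutil
import socket
import stat
import tempfile

# Added example, not from the forum post: classify the tailscaled socket path a
# compose file bind-mounts, so Traefik's "connect: connection refused" can be
# traced to a cause before the stack is started. Run on the machine that runs
# the Docker engine (or inside the Traefik container), not on Windows.

DEFAULT_SOCK = "/var/run/tailscale/tailscaled.sock"


def classify_socket_path(path=DEFAULT_SOCK, timeout=1.0):
    """Return 'missing', 'directory', 'not-a-socket', 'no-listener', 'ok' or 'error:<ERRNO>'.

    directory    -> Docker created the bind-mount source because it did not exist on the
                    engine host; tailscaled does not run there (or not at this path)
    no-listener  -> socket file present, nothing accepting: stale file or tailscaled stopped;
                    the kernel reports ECONNREFUSED, the text in Traefik's log line
    ok           -> a peer accepted the connection; Traefik's LocalAPI calls can proceed
    """
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "missing"
    if stat.S_ISDIR(st.st_mode):
        return "directory"
    if not stat.S_ISSOCK(st.st_mode):
        return "not-a-socket"
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect(path)
        return "ok"
    except ConnectionRefusedError:
        return "no-listener"
    except OSError as e:
        return f"error:{errno.errorcode.get(e.errno, e.errno)}"
    finally:
        s.close()


def demo_states():
    """Reproduce every state under a temp dir (constructed fixtures) and return {fixture: state}."""
    base = tempfile.mkdtemp(prefix="tsock-")
    results = {}
    try:
        results["missing"] = classify_socket_path(os.path.join(base, "absent.sock"))
        d = os.path.join(base, "dir.sock")  # what Docker leaves when the host path is absent
        os.mkdir(d)
        results["directory"] = classify_socket_path(d)
        f = os.path.join(base, "file.sock")
        open(f, "w").close()
        results["regular-file"] = classify_socket_path(f)
        stale = os.path.join(base, "stale.sock")  # bound once, owner gone: file stays behind
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        s.bind(stale)
        s.close()
        results["stale-socket"] = classify_socket_path(stale)
        live = os.path.join(base, "live.sock")  # a listener, like a running tailscaled
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(live)
        srv.listen(1)
        try:
            results["live-socket"] = classify_socket_path(live)
        finally:
            srv.close()
    finally:
        shutil.rmtree(base, ignore_errors=True)
    return results


if __name__ == "__main__":
    print(DEFAULT_SOCK, "->", classify_socket_path())
    for fixture, state in demo_states().items():
        print(f"{fixture:>13}: {state}")
```

A `directory` result means the fix is on the host side (install or start tailscaled where the engine runs, or run tailscaled in a sidecar container that shares its socket over a named volume), not in Traefik's flags; `no-listener` means the path is right and tailscaled is simply not up. Because a container that can reach this socket can use the whole LocalAPI, keep the mount on the Traefik container only.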